OkCupid App Bug Exposed Email Addresses and Birth Dates

Early adopters of technology are often willing to accept buggier interfaces and higher prices in exchange for a first peek. But are they also willing to risk their privacy?

Case in point: On Tuesday morning, OkCupid.com launched a mobile app called Crazy Blind Date that promises to take much of the decision-making and profile-scouring out of online dating. You name a time and venue, they find you a blind date. But there was one problem: The software behind Crazy Blind Date made users’ email addresses and full birth dates accessible to anyone with the right technical skills, the Wall Street Journal found.

OkCupid plugged the security hole around 1:30pm Eastern time, after the Journal contacted the company.

OkCupid saw no evidence of anyone exploiting the glitch, according to CEO Sam Yagan. “It was essentially a typo, and really inadvertent,” he said.

The security lapse comes as users entrust more and more of their data to distant computer servers and myriad apps. In the scramble to grab users and launch new features, app developers sometimes miss problems that can divulge users’ data.

In the case of Crazy Blind Date, the sensitive data points weren’t displayed to the casual user, but were available to anyone who could examine and tweak the app’s Web traffic. In addition to email addresses and birth dates, the exposed data also included less sensitive fields such as first name, gender and profile photo.

The bug occurred in Crazy Blind Date’s API (short for application programming interface), which lets the app fetch user data. Before the fix, strangers could see the sensitive details of any of the app’s users. For example, a person with the right technical know-how could get the email addresses and birth dates of potential dates around them, even though such information is usually not available. That person could also go to an OkCupid.com profile page, find the user’s numeric ID, and use that to get their email address and birth date — as long as that user had signed up for Crazy Blind Date.

After the fix, the API provided only the user’s ID, first name, gender, desired mates’ gender, and profile photo—not the email address and birth date.
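The before/after behaviour described above, as an added illustration (this is not OkCupid's code; the `User` record, the sample values and the function names are assumptions): the leaky handler serialises the whole stored record for any requested numeric ID, while the fixed handler projects it onto an explicit allow-list of the fields the article says survived the fix, so a new column can never widen the response by accident.

```python
from dataclasses import dataclass, asdict

# Fields the article lists as still returned after the fix.
PUBLIC_FIELDS = ("id", "first_name", "gender", "desired_gender", "photo_url")
# Fields the article says were exposed before the fix.
SENSITIVE_FIELDS = ("email", "birth_date")


@dataclass
class User:
    """Hypothetical stored record; the real schema is not on the page."""
    id: int
    first_name: str
    gender: str
    desired_gender: str
    photo_url: str
    email: str
    birth_date: str


# Constructed sample data; every value is made up.
USERS = {
    1234: User(1234, "Alex", "F", "M", "https://example.invalid/p/1234.jpg",
               "alex@example.invalid", "1988-04-12"),
}


def leaky_user_view(user_id: int) -> dict:
    """'Before' behaviour: dump the entire stored record for any ID."""
    return asdict(USERS[user_id])


def public_user_view(user_id: int) -> dict:
    """'After' behaviour: return only the allow-listed public fields.
    Selecting fields by name (rather than deleting known-sensitive ones)
    means columns added later stay private by default."""
    record = asdict(USERS[user_id])
    return {field: record[field] for field in PUBLIC_FIELDS}


def leaks_sensitive_fields(response: dict) -> list:
    """Regression check for a public endpoint's serialiser: which
    sensitive fields, if any, are present in the response body?"""
    return [field for field in SENSITIVE_FIELDS if field in response]
```

Running `leaks_sensitive_fields` over the output of every public serialiser in a test suite catches this class of over-exposure before release rather than after a reporter does.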